Vendor CVEs
Joomla
All CVEs
1,051 total · sorted by risk

| CVE | Vendor / Product | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-10033 | | Critical | 0.80 | 9.8 | 1.00 | KEV | Dec 30, 2016 | The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a `\"` (backslash double quote) in a crafted Sender property. |
| CVE-2026-48907 | | Critical | 0.77 | — | 0.80 | KEV | Jun 5, 2026 | A vulnerability in the JCE editor extension for Joomla allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution. |
| CVE-2017-8917 | | Critical | 0.75 | 9.8 | 1.00 | | May 17, 2017 | SQL injection vulnerability in Joomla! 3.7.x before 3.7.1 allows attackers to execute arbitrary SQL commands via unspecified vectors. |
| CVE-2016-8869 | | Critical | 0.74 | 9.8 | 0.97 | | Nov 4, 2016 | The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site. |
| CVE-2018-17254 | | Critical | 0.73 | 9.8 | 0.83 | | Sep 20, 2018 | The JCK Editor component 6.4.4 for Joomla! allows SQL Injection via the jtreelink/dialogs/links.php parent parameter. |
| CVE-2018-7314 | | Critical | 0.71 | 9.8 | 0.60 | | Feb 22, 2018 | SQL Injection exists in the PrayerCenter 3.0.2 component for Joomla! via the sessionid parameter, a different vulnerability than CVE-2008-6429. |
| CVE-2018-6605 | | Critical | 0.71 | 9.8 | 0.58 | | Feb 5, 2018 | SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request. |
| CVE-2018-6580 | | Critical | 0.70 | 9.8 | 0.37 | | Feb 2, 2018 | Arbitrary file upload exists in the Jimtawl 2.1.6 and 2.2.5 component for Joomla! via a view=upload&task=upload&pop=true&tmpl=component request. |
| CVE-2018-6396 | | Critical | 0.69 | 9.8 | 0.24 | | Feb 17, 2018 | SQL Injection exists in the Google Map Landkarten through 4.2.3 component for Joomla! via the cid or id parameter in a layout=form_markers action, or the map parameter in a layout=default action. |
| CVE-2018-7313 | | Critical | 0.68 | 9.8 | 0.20 | | Feb 22, 2018 | SQL Injection exists in the CW Tags 2.0.6 component for Joomla! via the searchtext array parameter. |
| CVE-2016-10045 | | Critical | 0.68 | 9.8 | 0.98 | | Dec 30, 2016 | The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail… |
| CVE-2018-17397 | | Critical | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the AlphaIndex Dictionaries 1.0 component for Joomla! via the letter parameter. |
| CVE-2018-17394 | | Critical | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Timetable Schedule 3.6.8 component for Joomla! via the eid parameter. |
| CVE-2018-17385 | | Critical | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Social Factory 3.8.3 component for Joomla! via the radius[lat], radius[lng], or radius[radius] parameter. |
| CVE-2018-17384 | | Critical | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Swap Factory 2.2.1 component for Joomla! via the filter_order_Dir or filter_order parameter. |
| CVE-2018-17383 | | Critical | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Collection Factory 4.1.9 component for Joomla! via the filter_order or filter_order_Dir parameter. |
| CVE-2018-17380 | | Critical | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Article Factory Manager 4.3.9 component for Joomla! via the start_date, m_start_date, or m_end_date parameter. |
| CVE-2018-17379 | | Critical | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Raffle Factory 3.5.2 component for Joomla! via the filter_order_Dir or filter_order parameter. |
| CVE-2018-17377 | | Critical | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Questions 1.4.3 component for Joomla! via the term, userid, users, or groups parameter. |
| CVE-2018-17376 | | Critical | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Reverse Auction Factory 4.3.8 component for Joomla! via the filter_order_Dir, cat, or filter_letter parameter. |
| CVE-2018-17375 | | Critical | 0.67 | 9.8 | 0.03 | | Sep 28, 2018 | SQL Injection exists in the Music Collection 3.0.3 component for Joomla! via the id parameter. |
| CVE-2018-7319 | | Critical | 0.67 | 9.8 | 0.02 | | Feb 22, 2018 | SQL Injection exists in the OS Property Real Estate 3.12.7 component for Joomla! via the cooling_system1, heating_system1, or laundry parameter. |
| CVE-2018-7318 | | Critical | 0.67 | 9.8 | 0.09 | | Feb 22, 2018 | SQL Injection exists in the CheckList 1.1.1 component for Joomla! via the title_search, tag_search, name_search, description_search, or filter_order parameter. |
| CVE-2018-7316 | | Critical | 0.67 | 9.8 | 0.09 | | Feb 22, 2018 | Arbitrary File Upload exists in the Proclaim 9.1.1 component for Joomla! via a mediafileform action. |
| CVE-2018-7315 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 22, 2018 | SQL Injection exists in the Ek Rishta 2.9 component for Joomla! via the gender, age1, age2, religion, mothertounge, caste, or country parameter. |
| CVE-2018-7312 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 22, 2018 | SQL Injection exists in the Alexandria Book Library 3.1.2 component for Joomla! via the letter parameter. |
| CVE-2018-6024 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 18, 2018 | SQL Injection exists in the Project Log 1.5.3 component for Joomla! via the search parameter. |
| CVE-2018-7179 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the SquadManagement 1.0.3 component for Joomla! via the id parameter. |
| CVE-2018-7177 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the Saxum Numerology 3.0.4 component for Joomla! via the publicid parameter. |
| CVE-2018-6394 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the InviteX 3.0.5 component for Joomla! via the invite_type parameter in a view=invites action. |
| CVE-2018-6373 | | Critical | 0.67 | 9.8 | 0.02 | | Feb 17, 2018 | SQL Injection exists in the Fastball 2.5 component for Joomla! via the season parameter in a view=player action. |
| CVE-2018-6372 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the JB Bus 2.3 component for Joomla! via the order_number parameter. |
| CVE-2018-6370 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the NeoRecruit 4.1 component for Joomla! via the (1) PATH_INFO or (2) name of a .html file under the all-offers/ URI. |
| CVE-2018-6005 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the Realpin through 1.5.04 component for Joomla! via the pinboard parameter. |
| CVE-2018-6004 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the File Download Tracker 3.0 component for Joomla! via the dynfield[phone] or sess parameter. |
| CVE-2018-5994 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the JS Jobs 1.1.9 component for Joomla! via the zipcode parameter in a newest-jobs request, or the ta parameter in a view_resume request. |
| CVE-2018-5992 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the Staff Master through 1.0 RC 1 component for Joomla! via the name parameter in a view=staff request. |
| CVE-2018-5991 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the Form Maker 3.6.12 component for Joomla! via the id, from, or to parameter in a view=stats request, a different vulnerability than CVE-2015-2798. |
| CVE-2018-5990 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the AllVideos Reloaded 1.2.x component for Joomla! via the divid parameter. |
| CVE-2018-5989 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the ccNewsletter 2.x component for Joomla! via the id parameter in a task=removeSubscriber action, a related issue to CVE-2011-5099. |
| CVE-2018-5987 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the Pinterest Clone Social Pinboard 2.0 component for Joomla! via the pin_id or user_id parameter in a task=getlikeinfo action, the ends parameter in a view=gift action, the category parameter in a view=home action, the uid parameter in a view=pindisplay… |
| CVE-2018-5982 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the Advertisement Board 3.1.0 component for Joomla! via a task=show_rss_categories&catname= request. |
| CVE-2018-5980 | | Critical | 0.67 | 9.8 | 0.04 | | Feb 17, 2018 | SQL Injection exists in the Solidres 2.5.1 component for Joomla! via the direction parameter in a hub.search action. |
| CVE-2018-5975 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the Smart Shoutbox 3.0.0 component for Joomla! via the shoutauthor parameter to the archive URI. |
| CVE-2018-5974 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the SimpleCalendar 3.1.9 component for Joomla! via the catid array parameter. |
| CVE-2018-5971 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the MediaLibrary Free 4.0.12 component for Joomla! via the id parameter or the mid array parameter. |
| CVE-2018-5970 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 17, 2018 | SQL Injection exists in the JGive 2.0.9 component for Joomla! via the filter_org_ind_type or campaign_countries parameter. |
| CVE-2018-6609 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 5, 2018 | SQL Injection exists in the JSP Tickets 1.1 component for Joomla! via the ticketcode parameter in a ticketlist edit action, or the id parameter in a statuslist (or prioritylist) edit action. |
| CVE-2018-6581 | | Critical | 0.67 | 9.8 | 0.03 | | Feb 2, 2018 | SQL Injection exists in the JMS Music 1.1.1 component for Joomla! via a search with the keyword, artist, or username parameter. |
| CVE-2018-6579 | | Critical | 0.67 | 9.8 | 0.04 | | Feb 2, 2018 | SQL Injection exists in the JEXTN Reverse Auction 3.1.0 component for Joomla! via a view=products&uid= request. |
Page 1 of 22